The Greater Manchester Police in the UK has recently been assessed a penalty of £150,000 (reduced to £120,000 for early payment). While many publications are claiming that this figure primarily ties to the theft of a USB stick, the truth is that the Greater Manchester Police (GMP) was fined for not having better sense.

USB Stick Stolen is Part of a Pattern

According to the Monetary Penalty Notice filed in this case, an officer who worked with the GMP's Serious Crime Division ("mainly the Drug Squad") had his USB memory stick stolen on July 17, 2011. The device was kept in his wallet, which was stolen during a home burglary.

The officer in question was with the Serious Crime Division for over 10 years, and he used the USB stick to "create a backup of his folder and to enable the officer to access information when he was out of the office or at another site." A forensic, post-breach investigation revealed that information on 1,075 individuals was saved to the device and that it was not protected with encryption. This was against a September 2010 Chief Constable Orders (CCO) that instructed everyone to use an encrypted disk.

But the officer cannot be blamed directly, as he "was on leave at the time this CCO was issued," "never had any specific training on data protection," the use of encrypted storage media "was not effectively enforced," and "no further steps were taken to prevent the use of USB sticks other than encrypted ones."

Approximately 1,100 Unauthorized USB Sticks Used

Following the above incident, the GMP engaged in what's known in certain circles as "fixing the barn after the horses have fled CYA maneuver" (CYA being short for "Cover Your A--"). I call it prudence: the GMP declared amnesty for people not following the CCO, and rounded up all unauthorized USB sticks it could find.

The effort netted approximately 1,100 memory sticks and an admission that "some of the devices have still not been recovered."

It was further revealed in the Notice that GMP had a similar breach in 2010.

The management of such devices and licenses can pose a significant challenge to many organizations. However, ensuring that they're properly managed and deployed is necessary and beneficial for many reasons:

Increased data security. That's what the procurement was about, right?

Adequate use of financial resources. Nothing worse than having your money tied up on software that you're not using.

Indirect assessment of your problem. You bought 1,000 -- presumably because an assessment showed you needed 1,000 -- and still have 900 waiting to be deployed one year later. You've got a problem somewhere, buddy.

Plus, the fact that you won't be publicly shamed or end up owing more than £100,000 to the government has its merits as well.

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.